Damn it, workstation monitoring is very interesting.
At the heart of the Bytesafe agreement is the monitoring of the server and the workstation. Monitoring just isn’t that sexy, although I have tried my best to explain the fantastic benefits over the years.
I would even go as far as to say that some of the monitoring checks could be described as over the top. I have even heard some people say that they don’t think monitoring on a workstation is that useful.
Whether they are interesting will depend on your viewpoint, but useful they certainly are.
We called an amazed customer this week to explain that one of the checks had failed: the predictive disk failure check.
“Just check your backups and we will replace the disk before it goes.”
I can’t tell you how much time and inconvenience that has saved for that very busy businessman.
I can tell you straight, we do not use a stethoscope on a computer. But we are running workstation monitoring checks every 30 minutes for the whole time the computers are turned on.
First thing in the morning there are also daily safety checks. These are like a “snapshot” in time of the health of the workstation. These in turn automatically form a workstation report that you can have sent to you weekly.
So are workstation monitoring checks really necessary?
Most viruses enter the network via a workstation. That means if you are not monitoring what is going on, you will not know what has hit you.
Monitoring checks are about predicting a hardware or software failure and informing you about it, so you can do something about it on your schedule rather than fire fighting.
Last week we created a script for a workstation to check for the presence of QuickTime. If QuickTime is present, the script removes it and replaces it with the K-Lite codecs. That check alone could save an entire network in the future.
So much of our work is just that, preventative checks on workstations to prevent problems even happening.
Daniel, one of my techs, called a customer this week to tell him that his machine had just filled up its disk and had failed a check. A full disk would render the computer useless, and it would appear to have happened randomly. The symptoms would have been that the machine would shut down and then, on restarting, the laptop would work normally until it shut down again.
This man is a business owner who is on the road and brings in an astonishing amount of business for his company. The last thing he needs is a useless laptop getting in his way.
We solved the issue by removing some files and the drama was over.
My favourite top 10 workstation checks (In order of usefulness)
- Predictive disk failure
- Disk space check
- Virus or malware check
- Critical events check
- Vulnerability check
- Windows service DHCP client check
- Windows service Task Scheduler check
- Windows service Security Center check
- Windows service Windows update check
- Windows service BITS check
(We both know that the “Security Center” should be called the “Security Centre” and the “Network Neighborhood” should be called the “Network Neighbourhood” – but that’s Microsoft for you)
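As an added example (my own code, not the Bytesafe monitoring agent), here is a PowerShell script that runs a handful of the checks from this list, so you can see what each one actually asks the machine. It reports pass/fail per check and exits non-zero if anything failed, so a scheduled task or RMM agent can alert on it. The 20% free-disk threshold, the 24-hour event window and the 3-day signature-age limit are assumptions chosen for the example; the service short names are Windows’ own.

```powershell
<#
  Added example (my own code, not the Bytesafe monitoring agent). Runs a handful
  of the workstation checks listed above and prints one pass/fail row per check.
  Assumptions: the 20% free-disk threshold, 24-hour event window and 3-day
  signature age are made up for this example; service names are the standard ones.
#>
param(
    [int]$MinFreePercent = 20,
    [int]$EventHours     = 24
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. Predictive disk failure: the SMART "predict failure" flag the storage driver
#    exposes through WMI. An error usually means the disk or controller does not
#    report SMART (some laptops, most VMs), so flag it rather than silently pass.
try {
    $smart   = Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus -ErrorAction Stop
    $failing = @($smart | Where-Object { $_.PredictFailure })
    Add-Check 'Predictive disk failure' ($failing.Count -eq 0) "$($failing.Count) disk(s) predicting failure"
} catch {
    Add-Check 'Predictive disk failure' $false "SMART status unavailable: $($_.Exception.Message)"
}

# 2. Disk space on every fixed local disk (DriveType 3)
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
    if ($disk.Size -gt 0) {
        $pctFree = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
        Add-Check "Disk space $($disk.DeviceID)" ($pctFree -ge $MinFreePercent) "$pctFree% free"
    }
}

# 3. Virus or malware check: is Windows Defender real-time protection on and are
#    its signatures recent? (Get-MpComputerStatus exists on Windows 8 / Server 2012+.)
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $ok = $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 3)
    Add-Check 'Virus or malware check' $ok "real-time $($mp.RealTimeProtectionEnabled), signatures $($mp.AntivirusSignatureAge) day(s) old"
} catch {
    Add-Check 'Virus or malware check' $false "Defender status unavailable: $($_.Exception.Message)"
}

# 4. Critical events: Critical (level 1) and Error (level 2) entries in System/Application
$since    = (Get-Date).AddHours(-$EventHours)
$critical = @(Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue)
Add-Check 'Critical events check' ($critical.Count -eq 0) "$($critical.Count) critical/error events since $since"

# 5. The Windows services from the list. Windows Update and BITS are trigger- or
#    demand-started on Windows 10, so for those only a Disabled start mode fails.
$services = @(
    @{ Name = 'Dhcp';     Display = 'DHCP client';     MustRun = $true  }
    @{ Name = 'Schedule'; Display = 'Task Scheduler';  MustRun = $true  }
    @{ Name = 'wscsvc';   Display = 'Security Center'; MustRun = $true  }
    @{ Name = 'wuauserv'; Display = 'Windows update';  MustRun = $false }
    @{ Name = 'BITS';     Display = 'BITS';            MustRun = $false }
)
foreach ($svc in $services) {
    $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        Add-Check "Windows service $($svc.Display)" $false 'service not found'
        continue
    }
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    $passed    = if ($svc.MustRun) { $s.Status -eq 'Running' } else { $startMode -ne 'Disabled' }
    Add-Check "Windows service $($svc.Display)" $passed "status $($s.Status), start mode $startMode"
}

$results | Format-Table -AutoSize
# Non-zero exit code = at least one failed check, which a scheduler or RMM agent can alert on
exit @($results | Where-Object { -not $_.Passed }).Count
```

Run it from an elevated PowerShell session (the SMART and Defender queries need it); the vulnerability check from the list is deliberately left out because what counts as “vulnerable” depends on the patch and software inventory you keep, which is a separate feed.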
Apart from saving a customer from a potential disaster, which is why the predictive disk failure check is my favourite, all of the others save my customers time. They also save me time, because when I match them with some computer behaviour they make the fixes so much easier. In some cases the troubleshooting could otherwise take hours instead of just minutes.
One of my customers has requested a report on the load of a server over a period of time. From that report we will be able to see where the bottlenecks are. It’s a science thing, so it helps with decisions as to whether to replace the server or not. Depending on the success or otherwise of the process, I am considering making it standard practice to report on this every six months.
It is like a “ring of steel” stopping nasties from getting to your network.
Bytedefender uses a different strategy to keep your systems safe.
It does this by providing an extra layer of security (nothing is infallible), stopping the nasties from reaching your systems rather than dealing with them when they arrive. That makes sense to me and hopefully to you as well.
Our 7 day FREE trials of our Bytedefender and Intrusion Detection System are starting in June 2016. We will install the Bytedefender box so that it blocks viruses and spam. In fact it does a whole lot more than that, and I have detailed it later on in this blog.
Each Bytedefender box will be installed on a Monday and pulled out on Friday afternoon. After each trial we will give you the reports on what it has caught and how much it is going to be of value to you.
The Bytedefender box has many characteristics of a normal computer, but it concentrates all its power on scanning and analysing data and is optimised for that. But it does so much more than detect viruses and spam; just take a look at the other benefits.
You can get back in control of your network by specifying the types of websites that your employees visit, whether by type of website or by specific websites. You can exempt some of your people from this. Did you want to ban Facebook? No problem. Gambling sites? Easy. Our web filtering allows you to control the places on the internet where you do not want people to go.
Perimeter virus detection
Rather than each and every workstation having to scan attachments for viruses and block them, our system stops them at the door. The infection is actually detected by a Linux-based system, and since the viruses are designed to attack Windows-based systems, they are pretty much powerless there.
The same happens with spam, and you can decide whether or not it is analysing the messages properly. The software has to make decisions on the sender, the subject line and the content of the email, and there are key words that it looks out for. If you want to increase the detection rate, you can.
It has specific and separate phishing prevention, which means that it looks out for emails that are designed to get your details. Again, this is stopping it all at source.
It has an advertising blocker. On the subject of advertising pop-ups, this is just going to get worse. I can see that a lot of my customers who will have this system just will not understand how bad it can get.
We can even speed up your browsing by turning on a web cache, which remembers web pages and delivers them more quickly to your screen. What you see is the web being about 5 times faster than it normally is.
For advanced configurations we can also get the system to inspect all the SSL traffic too. SSL is encrypted traffic, so that means all conversations can be analysed. Determined employees who wish to circumvent the Facebook ban will be caught here. It also gives you the ability to check on visitors; visitors who get the wifi key have to be monitored and restricted in where they are going.
The best until last: the Intrusion Detection System, which analyses connection attempts and works out whether they are hackers or not.
So it is a first come, first served 7 day trial. If a firewall and IDS will work for you, the reports will say so – it’s an evidence-based trial.
Windows 10 upgrade ends in July 2016
The deadline is coming up pretty soon. For home users it was a very easy decision: you could decide whether you wanted to upgrade to Windows 10 if you thought it looked like an operating system that you could use. For business users it was very different.
Windows 10 for business has been adopted a lot more slowly, for good reason. Businesses have a lot of “mission critical” applications which have to work with Windows 10, or it would be wise not to upgrade. More than that, there are a lot of third-party software vendors that don’t support Windows 10 just yet. That could be a deal breaker for you. Finding out isn’t that difficult: all you need to do is a software audit.
However, if you don’t upgrade now you will have to pay for the pleasure after July 2016. Worse than that, you will get nothing extra. Windows 7 will come to an end (just like Windows XP) and you will then have to upgrade to Windows 10. That is only 4 years away.
I’ve used Windows 10 ever since it came out, I have it on my laptop and I have it on my mobile phone – I think it is a great system and it works well.
Teslacrypt publishes encryption key
In the most peculiar announcement I have ever seen, a person or persons who released a deadly virus have said sorry and released the key!
The makers of TeslaCrypt, which inflicted misery on thousands of people all over the world by spreading the virus and then demanding a ransom payment, have said “sorry” and handed over the encryption key.
That will be little comfort to the thousands of people who have lost their data and maybe even their businesses. It is likely that the people who lost their data have already deleted their encrypted files as well.
That does not mean that encryption viruses have had their day, far from it. The latest virus, called Locky, is the most devastating virus that we have come across, and there is no way back. I wouldn’t expect an encryption key for that to be released.
Pwned? Have your personal details been stolen?
How would you even know if you have been pwned?
There are a lot of scary computer stories going around at the moment. In fact there are so many that the tendency is to ignore them.
Now you might be able to find out for sure.
Adobe got hacked and some 152 million accounts got into the hands of criminals.
Ashley Madison was compromised. That was the website that was in the news because it listed married men and women who were on the site to have extramarital affairs. A total of 30 million people were on that list.
Mate1 had 27 million, 000webhost 13 million, R2Games 13 million, Gamigo 8 million, Lifeboat 7 million and VTech 4.8 million accounts.
The one that is very interesting, because of the way it was used, was the TalkTalk security breach. Criminal gangs are sending out emails and, to add a massive amount of credibility, they also include your own home address in the email!
Imagine getting an email with your home address inside it. Maybe you are going to believe that one to be OK, after all how would they know your home address?
There are a few services that will tell you whether your security has been breached. I personally would look no further than the widely respected https://www.haveibeenpwned.com.
There is no charge to do this.
The site was started by Troy Hunt. Troy is a Microsoft Regional Director and MVP (Most Valuable Professional) awardee. He is also an international speaker and the author of many security courses on Pluralsight.
Just enter your email address and it will be checked against a regularly updated database of known security breaches. The results are displayed within seconds. Details of any security breach along with the sites or services will be shown.
All the website needs is your email address; it will not ask for any passwords.
I checked my email addresses and I am on at least one of these lists (the Adobe one).
So what should you do if you have been pwned?
Assuming you try this out for yourself and you’re unfortunate enough that a breach has been detected, then it is at this point that you’ll probably quite quickly want to log in to that site/service and change the password in question.
I’d also recommend doing the same for any other site/service where the same password has been used.
I would also check the domain part out. You can enter the entire domain for your company to see if anyone there has had a security breach.
In summary then.
Yes, there are some scare stories out there about computer security but here is one example of getting some facts for you personally. I hope you find it useful.
QuickTime for Windows end of life could cause you some real problems.
A lot has been said about QuickTime for Windows just recently (in the IT press). It is interesting that it is an Apple program that is causing a security issue with Windows PCs. If you haven’t heard, Apple decided to stop security updates for QuickTime for Windows.
Read about the trouble it has caused and how it affects you.
We have some advice for you.
We therefore advise that you remove QuickTime for Windows asap. Even if you have a need for the program we have a great workaround for you.
Sadly, Apple decided to withdraw their support in February 2016 by abandoning security updates for the program, but they didn’t tell anyone that they were planning to do this. The news was leaked through an anti-virus software company. Worse than that, Apple are still allowing downloads of this program knowing that it is a security risk. The problems have just started, with virus writers specifically targeting computers with QuickTime for Windows already installed.
It is as if Apple want Windows users to have virus problems.
Apple have previous for this and acted in a similar way when they decided to withdraw security updates for Safari for Windows, their internet browser.
Even the US government is advising everyone to uninstall it. Whilst that seems a strange thing for a government to do, software with vulnerabilities in it is often a source of infection and crime.
Users are vulnerable at the moment if they visit a website using certain browser plug-ins in Internet Explorer or Mozilla Firefox. Those problems are set to get worse as the virus writers work out additional and more clever ways of infecting.
That is advice for customers that DO NOT have our latest Bytesafe services, because the advice is different for our Bytesafe customers.
Our Bytesafe customers will have QuickTime for Windows automatically uninstalled and a safe replacement installed. No other intervention is required; no discussion needs to take place.
The reason for this is that all of our Bytesafe products have a feature which scans your computer for programs that need updating. That’s not major programs like Photoshop, but programs like Java and Adobe Flash. These programs are updated to the latest version and then the latest security patches are applied.
It is through this feature that we can ask it to uninstall a program and install the K-Lite codec pack for you. We have tested this process and it works like a dream.
For everyone else in the world (not Bytesafe users), you need to go to Programs in the Control Panel, select QuickTime for Windows and uninstall it.
If you needed QuickTime to play any videos such as mp4s and there is no way around it, then we suggest that you use the K-Lite codecs, and we suggest that you install them via the Ninite website just so you can guarantee that you get the right program.
We therefore advise that you remove QuickTime for Windows asap.
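Added example (not Bytesafe’s updater, nor Apple’s or Ninite’s tooling): the software audit mentioned in the Windows 10 section and the QuickTime check described here draw on the same source, the registry uninstall keys that Control Panel reads. This script writes the audit to CSV, reports any QuickTime for Windows install it finds, and only removes it when run with -RemoveQuickTime. It assumes QuickTime was installed by MSI, so its uninstall key is the product code GUID; the CSV path is a placeholder. Installing K-Lite afterwards is left as the manual Ninite step the article suggests.

```powershell
<#
  Added example, not Systems & Solutions' Bytesafe updater. Produces a software
  audit from the registry uninstall keys (the same list Control Panel shows),
  then flags, and optionally removes, QuickTime for Windows. Removal is opt-in
  via -RemoveQuickTime; the audit CSV path is a placeholder for this example.
#>
param(
    [switch]$RemoveQuickTime,
    [string]$AuditCsv = "$env:ProgramData\software-audit.csv"
)

function Get-InstalledSoftware {
    # 64-bit and 32-bit (Wow6432Node) machine-wide hives, plus per-user installs
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString, PSChildName |
        Sort-Object DisplayName -Unique
}

$software = @(Get-InstalledSoftware)
$software | Export-Csv -Path $AuditCsv -NoTypeInformation
Write-Host "Audit of $($software.Count) installed programs written to $AuditCsv"

# Assumption: QuickTime for Windows is MSI-installed, so its key name (PSChildName)
# is the MSI product code GUID that msiexec /x accepts.
$quicktime = @($software | Where-Object { $_.DisplayName -like 'QuickTime*' -and $_.Publisher -like 'Apple*' })
if ($quicktime.Count -eq 0) {
    Write-Host 'QuickTime for Windows not present: nothing to do'
    return
}

foreach ($qt in $quicktime) {
    Write-Warning "Found $($qt.DisplayName) $($qt.DisplayVersion) (key $($qt.PSChildName))"
    if (-not $RemoveQuickTime) { continue }

    if ($qt.PSChildName -match '^\{[0-9A-F-]{36}\}$') {
        # Silent MSI uninstall by product code: exit 0 = removed, 3010 = removed, reboot pending
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/x $($qt.PSChildName) /qn /norestart" -Wait -PassThru
        Write-Host "msiexec exit code $($proc.ExitCode) for $($qt.DisplayName)"
    } else {
        Write-Warning "Not an MSI product code; uninstall manually with: $($qt.UninstallString)"
    }
}
```

Run it once without the switch to see the audit and confirm what would be removed, then with -RemoveQuickTime from an elevated session; the CSV doubles as the software audit the Windows 10 section calls for, since it lists publisher and version for everything installed.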
LOCKY Update (Main LOCKY article is after this update)
We said it could happen. (I’m presuming that you have read the main article )
We just didn’t think it would be so quick. You remember that we installed a script that would automatically shut down a server’s ability to share files and therefore render them impossible to infect with the LOCKY virus.
Boy are we glad we did what we did.
You may remember it was just 2 weeks ago that I told you about a script that we had installed on your server.
I wonder if people think that we were going over the top? After all the whole blog was in excess of 2000 words, we had graphics, we had a list of instructions on how to combat it and even had a video on the subject. It took us an entire day to prepare the material.
Were we over the top?
Do you know what has happened since?
Having a dangerous virus is bad.
Having one that can infect with such ease is really bad.
This particular virus is a nightmare just waiting to happen, and it kept us awake at night. In fact, I can confirm that we wrote the script because we were so worried about our customer networks. It means we can sleep at night knowing that we have done all we can to prevent this virus from impacting our customers’ networks.
So what happened for me to update this blog?
THIS IS WHAT HAPPENED
Our Bytesafe Server Vault script caught a virus dead in its tracks.
Just exactly as we had outlined.
It happened to one of our customers, and the person whose “fault” it was had been tricked into opening an attachment.
I say “fault” because it is easy to get fooled, she was waiting for a document just like the one that was attached.
When she opened the attachment nothing seemed to happen and she thought it was nothing.
Meanwhile the virus went about its business in a systematic way, infecting and destroying data on the workstation. It later reached the server and was halted in its tracks.
But not before it destroyed 12 files.
After that the game was up.
Bytesafe Server Vault script stopped sharing the data and nothing more could be infected. We got the 12 files back from the backup.
We contacted the customer, because the customer was unaware that anything had happened. We were notified by our system, which monitors all the servers that we look after.
I am not surprised that the lady in question opened the file. It was completely related to her job.
This part of the blog in no way encourages paying the ransom for the encryption key. I do not even know if the key can be provided or whether it would even work. What I do know is that the people asking for the ransom were asking for Bitcoin.
Bitcoin is a currency that is not traceable in terms of transactions, but for some reason the ransom demand has now turned to iTunes vouchers and Amazon vouchers. I would imagine that anyone wanting to spend a lot on Amazon with Bitcoins would be flagged up as a possible criminal.
The virus writers have changed tack and are now demanding to be paid with iTunes or Amazon vouchers.
So, the script that we deployed took just 2 weeks to catch the virus and stop it dead in its tracks.
Now for the main article.
LOCKY ENCRYPTION VIRUS – from today your server is being protected from this deadly virus. (Bytesafe customers)
LOCKY is a powerful virus. We are pleased to announce an additional security measure that we’ve already rolled out to all Windows based servers covered by either a ByteSafe Silver, Gold or Platinum agreement and all at no additional cost.
Read on if you want to know how to troubleshoot the virus.
The script was gathered from the Internet community, hand coded into a PowerShell script, and then tested and deployed by Systems & Solutions.
This PowerShell script protects servers from the Locky virus and others.
We will give this script to others, including IT support companies to use upon request.
This new system, which we’re dubbing the “Bytesafe Server Vault”, actively monitors a server and all its shared folders for the presence of files or file types commonly associated with known strains of ransomware (e.g. CryptoLocker, CryptoWall etc.). In the event that a known file or file type is detected, all access to shared files and folders is removed before the virus has a chance to do any real damage. Then, once the infected computer has been safely removed from the network, access to shared files and folders can be restored while said PC is carted off ready for disinfection or wiping/reloading.
Ransomware is software that demands payment to reverse the damage that it does, and it is very profitable for the criminals that write the code.
Ransomware tends to be polymorphic by nature
This means that it creates copies of itself with slightly differing names, which lets it avoid detection by antivirus software. Once infection has been achieved, the virus works away in the background. It encrypts your important files (pictures, documents, spreadsheets etc.) until the point at which it’s finished, when it then holds those files to ransom, demanding your hard-earned cash in return for the decryption key which is required to unlock your files.
Locky will also work its way through all network files and folders
If the computer affected is connected to a network, it will work its way through all network files and folders. It does this in seconds and the damage is devastating.
During March 2016 we got to learn a lot about a new strain which goes by the name of “Locky” (yes, the same virus that hit the three hospitals in the States). Two of our customers were hit, and in both cases we were able to restore all encrypted files from backups because we had an hourly backup regime. Things could have been a whole lot worse. While we were able to neutralise the threat and clear up the damage it had left behind, it was nonetheless disruptive and costly to the customer in terms of time.
We began looking into new ways in which we could prevent these types of attack from occurring in the first place. By the following week “Bytesafe Server Vault” had been created from commands found on the Internet, put together into a PowerShell script.
Bytesafe Server Vault waits and checks for files created by the LOCKY virus and others. When it finds one, it shuts down the server’s ability to share files. This means that the damage is minimal and the disruption to the business is negligible. We tested it on our own systems before deploying it to all our customers’ servers. One problem we had was that our monitoring system tries to automatically restart the service. We changed the script to disable the service, which means that the protection survives even after a reboot.
It’s important to note that the best protection from viruses and other internet-borne threats is a layered approach, with Bytesafe Server Vault as the final layer.
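Added example: the script below is my own reconstruction of how a “server vault” of this kind can work in PowerShell, not the Bytesafe Server Vault script itself, which the company shares on request. It watches each SMB share for file names that ransomware leaves behind and, on the first match, disables and then stops the Server service, the same disable-rather-than-stop choice the paragraph above explains. The indicator patterns and the event-log source name are constructed for the example.

```powershell
<#
  Added example: my own reconstruction of the "server vault" idea, not the
  Bytesafe Server Vault script. Watches every ordinary SMB share on this server
  for file names that known ransomware strains leave behind and, on the first
  hit, disables AND stops the Server (LanmanServer) service so that file sharing
  stays off through reboots and monitoring restarts, until an administrator runs
  this script again with -Restore. Needs PowerShell 3+, the SmbShare module
  (Server 2012+) and an elevated session.
#>
param(
    [switch]$Restore,
    # Constructed sample of artefacts: Locky's extension and ransom note, plus
    # CryptoLocker/CryptoWall-style notes. Extend it from your own threat intel.
    [string[]]$Indicators = @('*.locky', '_Locky_recover_instructions.txt', 'DECRYPT_INSTRUCTION*', 'HELP_DECRYPT*', '*.encrypted')
)

# Passed into the event actions via -MessageData, because an -Action block does
# not see this script's own variables or functions.
$context = @{
    Service    = 'LanmanServer'        # the "Server" service that provides SMB file sharing
    Source     = 'ServerVaultExample'  # event-log source name, made up for this example
    Indicators = $Indicators
}

if (-not [System.Diagnostics.EventLog]::SourceExists($context.Source)) {
    New-EventLog -LogName Application -Source $context.Source
}

if ($Restore) {
    # Only once the infected workstation is off the network and the shares are cleaned up
    Set-Service -Name $context.Service -StartupType Automatic
    Start-Service -Name $context.Service
    Write-EventLog -LogName Application -Source $context.Source -EntryType Information -EventId 1002 -Message 'File sharing restored by administrator'
    return
}

# One watcher per ordinary share (skips C$, ADMIN$, IPC$ and other special shares)
$shares = Get-SmbShare | Where-Object { $_.Path -and -not $_.Special }
foreach ($share in $shares) {
    $watcher = New-Object System.IO.FileSystemWatcher $share.Path
    $watcher.IncludeSubdirectories = $true
    $watcher.NotifyFilter          = [System.IO.NotifyFilters]::FileName
    $watcher.InternalBufferSize    = 64KB   # ransomware renames thousands of files quickly; avoid dropped events
    $watcher.EnableRaisingEvents   = $true

    foreach ($eventName in 'Created', 'Renamed') {
        Register-ObjectEvent -InputObject $watcher -EventName $eventName -MessageData $context -Action {
            $ctx  = $Event.MessageData
            $path = $Event.SourceEventArgs.FullPath
            $name = Split-Path -Leaf $path
            $hit  = $ctx.Indicators | Where-Object { $name -like $_ } | Select-Object -First 1
            if ($hit) {
                # Disable first, then stop: a plain Stop-Service would be undone by a
                # monitoring agent that auto-restarts stopped services.
                Set-Service -Name $ctx.Service -StartupType Disabled
                Stop-Service -Name $ctx.Service -Force
                Write-EventLog -LogName Application -Source $ctx.Source -EntryType Error -EventId 1001 `
                    -Message "Ransomware indicator '$path' matched '$hit'. Server service stopped and disabled."
            }
        } | Out-Null
    }
    Write-Host "Watching share $($share.Name) at $($share.Path)"
}

# Keep the session alive so the event actions can run; stop with Ctrl+C
while ($true) { Wait-Event -Timeout 60 | Out-Null }
```

Run it as a scheduled task at startup under an account that can control services, and have your monitoring alert on event ID 1001 from that source rather than on the Server service being down. Two caveats worth knowing before deploying anything like this: stopping LanmanServer also removes the administrative shares (C$, ADMIN$), so remote administration over SMB goes with it (RDP is unaffected), and a watcher only fires after the first indicator file appears, so, as the article says, it limits the damage rather than preventing the first few files from being hit.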
Head of Tech Support
We will share the PowerShell script with anyone who requests it. Here is our suggested approach on what to do should anyone detect the .LOCKY virus on your network server:
Solving the LOCKY virus on a large network.
- Find out that files are being renamed to .LOCKY
- Get them to disconnect the network (hub)
- Get onsite and get onto the server
- Look at the properties of a .locky file; find out which user changed the files and at what time they were changed
- Check over other files to see if the times are vastly different
- Identify that user’s machine
- Start that machine up disconnected from the network
- Identify the email that came in around that time
- Confirm the time that you need to be working from
- Turn the network switch back on
- Restore files from backup; select all files that have changed or are new since the infection time
- Re-image the workstation; don’t bother trying to cleanse the virus
You are generally going to get a call from a customer saying that they have discovered some strange files and their own files have disappeared.
You need to stop the infection spreading all over the network, and I suggest that you do this by turning off the network switching hubs. They could be in the data cabinet – just power them down. That means that there is no communication between computers.
You can only do this by getting onsite. Remote access is no good now. Infection can spread to any open shares on the network. If you tightly manage this then there are no real problems, but be on the safe side and pull the plug on the network switch. This is an urgent issue, and a “4 hour” response time will not be good enough in these circumstances.
Find the affected shares on the server and check over the properties of the infected files. They will have been modified by a particular user. Note the time they were modified. Check over more files just to see if there is more than one workstation infecting the files.
If the times are vastly different you could be looking for an additional machine or two that are also infecting, but that would be unusual.
You should be able to identify which machine that user was using. I had a confusing situation when I found out that the same user was logged on to two different machines.
Points 7, 8 and 9
Check over the machine that is infecting all the files, go into Outlook and work out which email caused the damage, and check that the times match. You can also run some anti-virus tools that will detect and destroy the process that Locky is using.
It is safe to turn the network switch back on. The network will operate normally but you may have to reboot the workstations.
You have to restore the files from backup. The easiest way to do this is to find the most recent backup, mount it on the server and then Xcopy the files back, selecting missing files or newly created files. That means that you will only be restoring the corrupted files and not overwriting files you don’t need to. It will be quicker too.
Over time it may be possible to cleanse this nasty virus from a workstation so that it does not come back. My advice would be to re-image it and start afresh. The virus writers are very clever and the virus changes on a regular basis; you do not need to take a risk when you can just re-image it.
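Added example (my own, not the authors’ tooling): PowerShell for the file-properties step (points 4 to 6) and the selective restore (point 11) above. Get-LockyEvidence lists who created the .locky files and when, grouped by owner so that a second infecting machine shows up as a second owner with a different first-seen time; Restore-FromBackup copies back from a mounted backup only the files that are missing on the live share or were modified after the infection started, which is the same selection the Xcopy approach makes. Share and backup paths and the infection time are placeholders; run the restore with -WhatIf first.

```powershell
<#
  Added example, not the authors' procedure or tooling. Two helpers for the
  Locky clean-up described above:
    Get-LockyEvidence  - who created the .locky files on each share, and when
    Restore-FromBackup - copy back only missing or post-infection files
  All paths and times below are placeholders.
#>

function Get-LockyEvidence {
    param([string[]]$SharePaths, [string]$Extension = '.locky')

    $files = foreach ($root in $SharePaths) {
        Get-ChildItem -Path $root -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue
    }
    # The owner of a .locky file is the account that created it, i.e. the login
    # the infected workstation was using against the share.
    $evidence = foreach ($f in $files) {
        [pscustomobject]@{
            Path     = $f.FullName
            Owner    = (Get-Acl -LiteralPath $f.FullName).Owner
            Modified = $f.LastWriteTime
        }
    }
    # One row per owner: two owners with very different FirstSeen times means
    # more than one workstation is encrypting the share.
    $evidence | Group-Object Owner | ForEach-Object {
        $times = @($_.Group.Modified | Sort-Object)
        [pscustomobject]@{
            Owner     = $_.Name
            Files     = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    }
}

function Restore-FromBackup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$BackupRoot,       # mounted backup copy of the share, e.g. B:\Shares\Data
        [Parameter(Mandatory)][string]$LiveRoot,         # the live share path, e.g. D:\Shares\Data
        [Parameter(Mandatory)][datetime]$InfectionStart  # FirstSeen from Get-LockyEvidence, minus a safety margin
    )
    $restored  = 0
    $rootLen   = $BackupRoot.TrimEnd('\').Length + 1
    foreach ($backupFile in Get-ChildItem -Path $BackupRoot -Recurse -File) {
        $relative = $backupFile.FullName.Substring($rootLen)
        $live     = Join-Path $LiveRoot $relative
        # Restore if the original is gone (Locky deletes it after writing the
        # .locky copy) or if it was touched after the infection began.
        $needed = (-not (Test-Path -LiteralPath $live)) -or
                  ((Get-Item -LiteralPath $live).LastWriteTime -gt $InfectionStart)
        if ($needed -and $PSCmdlet.ShouldProcess($live, "restore from $($backupFile.FullName)")) {
            New-Item -ItemType Directory -Path (Split-Path -Parent $live) -Force | Out-Null
            Copy-Item -LiteralPath $backupFile.FullName -Destination $live -Force
            $restored++
        }
    }
    Write-Host "$restored file(s) restored; .locky files and ransom notes are left in place for you to review and delete"
    return $restored
}

# Usage (placeholders):
# Get-LockyEvidence -SharePaths 'D:\Shares\Data', 'D:\Shares\Accounts' | Format-Table -AutoSize
# Restore-FromBackup -BackupRoot 'B:\Shares\Data' -LiveRoot 'D:\Shares\Data' -InfectionStart '2016-03-14 09:42' -WhatIf
```

Run the evidence function first and take the infection start from its earliest FirstSeen, then do the restore with -WhatIf to review the list before copying anything; the .locky files are deliberately not deleted by the script, since you may want to keep a few for the anti-virus vendor or for your own records before clearing them.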
Please watch the video on the subject:
There are 5 steps you should have in place already
- Mail filtering so you don’t receive emails containing the virus
- Up-to-date Office software so you don’t release the VBA code in the Word attachment
- Free LOCKY protection available from Bitdefender.com
- Bytesafe Server Vault script
- Hourly local and then cloud backups
Mail filtering costs money every month and it is worth it. Not having the virus enter your system in the first place means that your staff don’t have to be so on their guard. The social engineering that the virus writers use is proven to work, so don’t take the risk.
Word 2010 had a built-in function that made you “enable editing” on attachments that came through the email system. The code cannot be released unless you enable editing. That was the reason why Microsoft put it in place as an extra feature some time ago. I do however remember customers complaining about it!
This software is free to install on workstations. It is a good idea to deploy it. https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/
Run the Bytesafe Server Vault script on your server and then run the “updater” script.
Invest in hourly backups and have them synchronised to the cloud or off premises.
The virus writers are always going to be a threat, and one day even hourly backups may not be enough. Data loss may still be possible even with all these approaches. It does give you maximum protection now.